Date: Thu, 24 May 2012 14:22:32 -0400 (EDT) From: "Brad Tilley" <brad@...ystems.com> To: john-users@...ts.openwall.com Subject: Re: Can Excessive Rounds make Password cracking Infeasable > On 05/24/2012 08:06 PM, Brad Tilley wrote: >> This is slightly off-topic as it does not specifically relate to John >> use, >> but I wanted to ask the opinions of others here. When do rounds make >> password cracking infeasible, or do they? For example, the hash below is >> a >> SHA-512 hash with 391939 rounds applied. You can actually feel the delay >> at logon (about 2 seconds on newer machines): >> >> test:$6$rounds=391939$UqhsyLSZ$F/K1CGpBf9yefYXCRbY5uK/LW1HzW8EiPCzdq8PMVvZ4JLhb4F464ps87MX/YwYEI0s62KIsnZBuCt45a.A4I0:1002:1002::/home/test:/bin/sh >> >> The source code of sha512-crypt.c sets this as the maximum number of >> rounds so Linux sys admins could configure this number even higher: >> >> /* Maximum number of rounds. */ >> #define ROUNDS_MAX 999999999 >> >> So long as the passwords are sufficiently complex and users can't select >> simple words such as 'password' for their password, I would think that >> these hashes are close to un-crackable (certainly not in a reasonable >> time >> period anyway). What do other John users think? > > The problem is, even a delay of 2 seconds during login might be > unacceptable. > If you don't have a single-user system, but a server that is used by > thousands of users who all login at nearly the same time, the possible > delay will be much longer, and the server will hardly be usable for > other activities during those times. > > Frank Yes, thanks Frank. I understand that and have no disputes or questions about that. My question is about the feasibility of cracking such hashes. Brad
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.